Researchers Find 1400 Software Vulnerabilities in Medical Supply System

Nancy Crotti

March 31, 2016


Independent researchers have uncovered 1418 third-party software vulnerabilities in outdated but still-used automated supply cabinets that dispense medical supplies, according to a federal cybersecurity advisory.

Collaborating with CareFusion, researchers Billy Rios and Mike Ahmadi identified the vulnerabilities in end-of-life versions of CareFusion's Pyxis SupplyStation system, said the notice from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). Ahmadi is scheduled to speak at MedTech Europe.

"These vulnerabilities could be exploited remotely," the advisory says. "Exploits that target these vulnerabilities are known to be publicly available."

Pyxis SupplyStation systems are automated cabinets that dispense medical supplies and can document usage in real time. They typically include a network of workstations, located in patient care areas throughout a facility and managed by the Pyxis SupplyCenter server, which links to the facility's existing information systems, according to ICS-CERT. The SupplyStation system is designed to provide access to supplies in "fail-safe mode" if the cabinet is rendered inoperable.

CareFusion will not provide a patch for these outdated systems, but has begun providing customers of end-of-life versions with an upgrade path. Those who choose not to upgrade can apply a series of compensating methods detailed in the advisory.

Information security professionals were not surprised at the researchers' findings, according to a report by SC Magazine.

John Smith, principal solution architect at Veracode, told SCMagazineUK.com that many new Internet of Things (IoT) devices pose a significant threat to healthcare.

"Vulnerabilities will always be discovered in connected devices," Smith said. "The security of all IoT devices must be looked at holistically so that all devices, as well as their web and mobile applications, and back-end cloud services, are secure by default."

In February, hackers brought down medical devices and computing systems in a Los Angeles hospital for more than a week using ransomware, a form of malware that demands a payment before normal functioning is restored. Hollywood Presbyterian Medical Center paid them $17,000 in bitcoin in response to a demand for more than $3.6 million to restore the records, according to the Los Angeles Times.

Researcher Ahmadi specializes in critical systems security, the field concerned with systems whose failures can cause disastrous events that can lead to death.

"A heart is a vital organ and if it needs a pacemaker in order to survive, the pacemaker itself becomes as vital as the heart," Ahmadi said. "If you can find a vulnerability that can cause a failure, then it is actually a digital pathogen, the body doesn't differentiate anymore between a carbon-based virus and a digital one."

Note: A previous version of this article incorrectly said that the security problems were related to infusion pumps.


About the Author

Nancy Crotti

Nancy Crotti is a frequent contributor to MD+DI. Reach her at [email protected].
